Bug 156737

Summary: Calling then on promise in Workers may crash in Debug builds
Product: WebKit
Reporter: youenn fablet <youennf>
Component: WebCore Misc.
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bburg, calvaris, cgarcia, commit-queue, fpizlo, joepeck, msaboff, ryanhaddad, sam
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=153781
Attachments:
  Unskipping fetch api debug tests (Flags: none)

Description youenn fablet 2016-04-19 02:42:37 PDT
After studying bug 153781, it seems that the test causing crashes in Worker is the last one in LayoutTests/imported/w3c/web-platform-tests/streams/readable-streams/count-queuing-strategy-integration.js.
It basically does a lot of promise.then(...).then(...).
Comment 1 youenn fablet 2016-04-19 02:43:23 PDT
The following test sample crashes sometimes (not very often) on Mac and GTK when run through rwt with the following options: "--debug -f --iterations=1000".

<!DOCTYPE html>
<meta charset="utf-8">
<div id="title">Testing promise chaining in workers. This test passes if not crashing.</div>
<div id="log"></div>
<script>
    var worker = new Worker(window.URL.createObjectURL(new Blob(
        ["Promise.resolve().then();\n",
         "postMessage('done');"],
        { "type" : "text\/javascript" })));
    worker.onmessage = function() {
        document.getElementById("log").innerHTML = "PASS";
        if (window.testRunner)
            testRunner.notifyDone();
    };

    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }
</script>

The log is similar to the one in bug 153781:
For GTK:
STDERR: ASSERTION FAILED: !exec->hadException()
STDERR: ../../Source/WebCore/bindings/js/JSDOMGlobalObjectTask.cpp(67) : void WebCore::JSGlobalObjectCallback::call()
STDERR: 1   0x7f2202ca87ad /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f2202ca87ad]
STDERR: 2   0x7f22094c8e4d /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::JSGlobalObjectCallback::call()+0x143) [0x7f22094c8e4d]
STDERR: 3   0x7f22094c8680 /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x5680680) [0x7f22094c8680]
STDERR: 4   0x7f22094c89b4 /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x56809b4) [0x7f22094c89b4]
STDERR: 5   0x7f22093e5c27 /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(std::function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const+0x49) [0x7f22093e5c27]
STDERR: 6   0x7f22093e5b6f /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&)+0x23) [0x7f22093e5b6f]
STDERR: 7   0x7f220a61b3fb /localHome/youenn/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::WorkerRunLoop::Task::performTask(WebCore::WorkerRunLoop const&, WebCore::WorkerGlobalScope*)+0x6d) [0x7f220a61b3fb]

For MAC:
ASSERTION FAILED: !exec->hadException()
/Users/youenn/Documents/WebKit/Source/WebCore/bindings/js/JSDOMGlobalObjectTask.cpp(91) : void WebCore::JSGlobalObjectCallback::call()
1   0x11209c821 WTFCrash
2   0x1189d27ac WebCore::JSGlobalObjectCallback::call()
3   0x1189cef71 WebCore::JSGlobalObjectTask::JSGlobalObjectTask(WebCore::JSDOMGlobalObject*, WTF::PassRefPtr<JSC::Microtask>)::$_0::operator()(WebCore::ScriptExecutionContext&) const
4   0x1189cef3d _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRZN7WebCore18JSGlobalObjectTaskC1EPNS3_17JSDOMGlobalObjectEN3WTF10PassRefPtrIN3JSC9MicrotaskEEEE3$_0RNS3_22ScriptExecutionContextEEEEvDpOT_
5   0x1189ceda9 std::__1::__function::__func<WebCore::JSGlobalObjectTask::JSGlobalObjectTask(WebCore::JSDOMGlobalObject*, WTF::PassRefPtr<JSC::Microtask>)::$_0, std::__1::allocator<WebCore::JSGlobalObjectTask::JSGlobalObjectTask(WebCore::JSDOMGlobalObject*, WTF::PassRefPtr<JSC::Microtask>)::$_0>, void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&)
6   0x116f98b08 std::__1::function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const
Comment 2 youenn fablet 2016-04-19 02:46:03 PDT
It appears that the job executed is the call of "promiseReactionJob", a JS built-in function defined in Source/JavaScriptCore/builtin/PromiseOperations.js

Any idea on the issue?
Comment 3 youenn fablet 2016-05-10 06:52:07 PDT
Digging a little bit further, the issue seems related to the web worker being asked to stop while the web worker still wants to run promiseReactionJob.

Requesting the web worker triggers the watchdog.
An exception is then sometimes hit either just before executing promiseReactionJob (in Interpreter::executeCall) or as part of op_watchdog.
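The interleaving described in comment 3, as a simplified model added here (not WebKit code and not part of the original comment). ModelVM, watchdogCheck, executeCall, runMicrotask and simulate are hypothetical names; the model assumes a stop request surfaces as a pending exception at the next termination check, either at call entry or inside the job.

```javascript
// Simplified model of the race in comment 3. Not WebKit code: every name
// here is hypothetical and only mirrors the roles mentioned in the report.
class ModelVM {
  constructor() {
    this.stopRequested = false; // set when the worker is asked to stop
    this.exception = null;      // pending termination exception, if any
  }
  // Termination check: turns a pending stop request into an exception.
  watchdogCheck() {
    if (this.stopRequested) this.exception = "TerminatedExecution";
    return this.exception !== null;
  }
  // Models call entry: check for termination first, then run the job.
  executeCall(job) {
    if (this.watchdogCheck()) return; // job body never starts
    job(this);
  }
}

// Debug-build style callback: asserts the microtask left no exception behind.
function runMicrotask(vm, job) {
  vm.executeCall(job);
  if (vm.exception) throw new Error("ASSERTION FAILED: !exec->hadException()");
}

// stopAt: "never" | "before-call" | "during-job" | "after-job"
function simulate(stopAt) {
  const vm = new ModelVM();
  const trace = [];
  const reactionJob = (m) => {
    trace.push("job: start");
    if (stopAt === "during-job") m.stopRequested = true;
    if (m.watchdogCheck()) return; // check reached while the job is running
    trace.push("job: done");
  };
  if (stopAt === "before-call") vm.stopRequested = true;
  try {
    runMicrotask(vm, reactionJob);
    if (stopAt === "after-job") vm.stopRequested = true; // too late to matter
    trace.push("ok");
  } catch (e) {
    trace.push(e.message);
  }
  return trace;
}

for (const p of ["never", "before-call", "during-job", "after-job"])
  console.log(p, simulate(p));
```

Only the two orderings where the stop request lands before the job finishes trip the assertion, which matches the intermittent failures seen over many iterations.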
Comment 4 youenn fablet 2016-08-05 05:35:37 PDT
I am not able to reproduce this error anymore.
Related to promises and Workers, I am sometimes hitting the following assertion:

  6 ASSERTION FAILED: promise.inherits(JSPromise::info())
  7 /Users/youenn/Apple/Safari/OpenSource/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp(63) : static JSC::JSPromiseDeferred *JSC::JSPromiseDeferred::create(JSC::ExecState *, JSC::JSGlobalObject *)
  8 1   0x109dd01ad WTFCrash
  9 2   0x10992b97e JSC::JSPromiseDeferred::create(JSC::ExecState*, JSC::JSGlobalObject*)
 10 3   0x10d19bf95 WebCore::callPromiseFunction(JSC::ExecState&, long long (*)(JSC::ExecState*, JSC::JSPromiseDeferred*))
 11 4   0x10d87f0bc WebCore::jsWorkerGlobalScopePrototypeFunctionFetchRequest(JSC::ExecState*)
 12 5   0x5be8827ae8c8
 13 6   0x5be8828a28e7
 14 7   0x1099f334b llint_entry
 15 8   0x5be8828968b3
 16 9   0x1099ec2ce vmEntryToJavaScript
 17 10  0x1097df7d7 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
 18 11  0x109766d37 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
 19 12  0x109022838 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
 20 13  0x109022a1b JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
 21 14  0x1098ce40b JSC::JSJobMicrotask::run(JSC::ExecState*)
 22 15  0x10d2aba77 WebCore::JSGlobalObjectCallback::call()
 23 16  0x10d2ab931 WebCore::JSGlobalObjectTask::JSGlobalObjectTask(WebCore::JSDOMGlobalObject*, WTF::Ref<JSC::Microtask>&&)::$_0::operator()(WebCore::ScriptExecutionContext&) const
 24 17  0x10d2ab7d4 WTF::Function<void (WebCore::ScriptExecutionContext&)>::CallableWrapper<WebCore::JSGlobalObjectTask::JSGlobalObjectTask(WebCore::JSDOMGlobalObject*, WTF::Ref<JSC::Microtask>&&)::$_0>::call(WebCore::ScriptExecutionContext&)
 25 18  0x10c87b551 WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const
 26 19  0x10c8669fd WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&)
 27 20  0x10e7e0619 WebCore::WorkerRunLoop::Task::performTask(WebCore::WorkerRunLoop const&, WebCore::WorkerGlobalScope*)
 28 21  0x10e7df78b WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode)
 29 22  0x10e7df2f6 WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*)
 30 23  0x10e7e7930 WebCore::WorkerThread::runEventLoop()
 31 24  0x10c7d82a8 WebCore::DedicatedWorkerThread::runEventLoop()
 32 25  0x10e7e774d WebCore::WorkerThread::workerThread()
 33 26  0x10e7e72f5 WebCore::WorkerThread::workerThreadStart(void*)
 34 27  0x109e397e9 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
 35 28  0x109e397bd void std::__1::__invoke_void_return_wrapper<void>::__call<WTF::createThread(void (*)(void*), void*, char const*)::$_0&>(WTF::createThread(void (*)(void*), void*, char const*)::$_0&&&)
 36 29  0x109e39769 std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
 37 30  0x109448faa std::__1::function<void ()>::operator()() const
 38 31  0x109e38407 WTF::threadEntryPoint(void*)
 39 LEAK: 1 WebProcessPool
 40 LEAK: 1 WebPageProxy
Comment 5 youenn fablet 2016-09-01 00:51:26 PDT
It might be the case that https://bugs.webkit.org/show_bug.cgi?id=161426 fixed the issue.
I will try reenabling fetch tests on debug bots.
Comment 6 youenn fablet 2016-09-01 00:57:09 PDT
Created attachment 287608
Unskipping fetch api debug tests
Comment 7 WebKit Commit Bot 2016-09-01 01:28:36 PDT
Comment on attachment 287608
Unskipping fetch api debug tests

Clearing flags on attachment: 287608

Committed r205284: <http://trac.webkit.org/changeset/205284>
Comment 8 WebKit Commit Bot 2016-09-01 01:28:41 PDT
All reviewed patches have been landed.  Closing bug.